This role is used in Kubernetes the not so hard way with Ansible - Control plane. It installs the Kubernetes API server, scheduler and controller manager. For more information about this role please have a look at Kubernetes the not so hard way with Ansible - Control plane.
I tag every release and try to stay with semantic versioning. If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag 17.0.0+1.23.3 means this is release 17.0.0 of this role and it's meant to be used with Kubernetes version 1.23.3 (but should work with any K8s 1.23.x release of course). If the role itself changes X.Y.Z before + will increase. If the Kubernetes version changes X.Y.Z after + will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
This role requires that you already created some certificates for Kubernetes API server (see Kubernetes the not so hard way with Ansible - Certificate authority (CA)). The role copies the certificates from k8s_ca_conf_directory to the destination host. You should also setup a fully meshed VPN with e.g. WireGuard (see Kubernetes the not so hard way with Ansible - WireGuard) and of course an etcd cluster (see Kubernetes the not so hard way with Ansible - etcd cluster)
see CHANGELOG.md
# The directory to store the K8s certificates and other configuration
k8s_conf_dir: "/var/lib/kubernetes"
# The directory to store the K8s binaries
k8s_bin_dir: "/usr/local/bin"
# K8s release
k8s_release: "1.25.5"
# The interface on which the K8s services should listen on. As all cluster
# communication should use a VPN interface the interface name is
# normally "wg0" (WireGuard),"peervpn0" (PeerVPN) or "tap0".
k8s_interface: "tap0"
# The directory from where to copy the K8s certificates. By default this
# will expand to user's LOCAL $HOME (the user that run's "ansible-playbook ..."
# plus "/k8s/certs". That means if the user's $HOME directory is e.g.
# "/home/da_user" then "k8s_ca_conf_directory" will have a value of
# "/home/da_user/k8s/certs".
k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
# Directory where kubeconfig for Kubernetes worker nodes and kube-proxy
# is stored among other configuration files. Same variable expansion
# rule applies as with "k8s_ca_conf_directory"
k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}"
# K8s control plane binaries to download
k8s_controller_binaries:
- kube-apiserver
- kube-controller-manager
- kube-scheduler
- kubectl
# K8s kube-(apiserver|controller-manager-sa) certificates
k8s_certificates:
- ca-k8s-apiserver.pem
- ca-k8s-apiserver-key.pem
- cert-k8s-apiserver.pem
- cert-k8s-apiserver-key.pem
- cert-k8s-controller-manager-sa.pem
- cert-k8s-controller-manager-sa-key.pem
# K8s API daemon settings (can be overridden or additional added by defining
# "k8s_apiserver_settings_user")
k8s_apiserver_settings:
"advertise-address": "{{hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address}}"
"bind-address": "{{hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address}}"
"secure-port": "6443"
"enable-admission-plugins": "NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
"allow-privileged": "true"
"apiserver-count": "3"
"authorization-mode": "Node,RBAC"
"audit-log-maxage": "30"
"audit-log-maxbackup": "3"
"audit-log-maxsize": "100"
"audit-log-path": "/var/log/audit.log"
"event-ttl": "1h"
"kubelet-preferred-address-types": "InternalIP,Hostname,ExternalIP" # "--kubelet-preferred-address-types" defaults to:
# "Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP"
# Needs to be changed to make "kubectl logs" and "kubectl exec" work.
"runtime-config": "api/all=true"
"service-cluster-ip-range": "10.32.0.0/16"
"service-node-port-range": "30000-32767"
"client-ca-file": "{{k8s_conf_dir}}/ca-k8s-apiserver.pem"
"etcd-cafile": "{{k8s_conf_dir}}/ca-etcd.pem"
"etcd-certfile": "{{k8s_conf_dir}}/cert-k8s-apiserver-etcd.pem"
"etcd-keyfile": "{{k8s_conf_dir}}/cert-k8s-apiserver-etcd-key.pem"
"encryption-provider-config": "{{k8s_conf_dir}}/encryption-config.yaml"
"kubelet-certificate-authority": "{{k8s_conf_dir}}/ca-k8s-apiserver.pem"
"kubelet-client-certificate": "{{k8s_conf_dir}}/cert-k8s-apiserver.pem"
"kubelet-client-key": "{{k8s_conf_dir}}/cert-k8s-apiserver-key.pem"
"service-account-key-file": "{{k8s_conf_dir}}/cert-k8s-controller-manager-sa.pem"
"service-account-signing-key-file": "{{k8s_conf_dir}}/cert-k8s-controller-manager-sa-key.pem"
"service-account-issuer": "https://{{ groups.k8s_controller|first }}:6443"
"tls-cert-file": "{{k8s_conf_dir}}/cert-k8s-apiserver.pem"
"tls-private-key-file": "{{k8s_conf_dir}}/cert-k8s-apiserver-key.pem"
# The directory to store controller manager configuration.
k8s_controller_manager_conf_dir: "/var/lib/kube-controller-manager"
# K8s controller manager settings (can be overridden or additional added by defining
# "k8s_controller_manager_settings_user")
k8s_controller_manager_settings:
"bind-address": "{{hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address}}"
"secure-port": "10257"
"cluster-cidr": "10.200.0.0/16"
"allocate-node-cidrs": "true"
"cluster-name": "kubernetes"
"authentication-kubeconfig": "{{k8s_controller_manager_conf_dir}}/kube-controller-manager.kubeconfig"
"authorization-kubeconfig": "{{k8s_controller_manager_conf_dir}}/kube-controller-manager.kubeconfig"
"kubeconfig": "{{k8s_controller_manager_conf_dir}}/kube-controller-manager.kubeconfig"
"leader-elect": "true"
"service-cluster-ip-range": "10.32.0.0/16"
"cluster-signing-cert-file": "{{k8s_conf_dir}}/cert-k8s-apiserver.pem"
"cluster-signing-key-file": "{{k8s_conf_dir}}/cert-k8s-apiserver-key.pem"
"root-ca-file": "{{k8s_conf_dir}}/ca-k8s-apiserver.pem"
"requestheader-client-ca-file": "{{k8s_conf_dir}}/ca-k8s-apiserver.pem"
"service-account-private-key-file": "{{k8s_conf_dir}}/cert-k8s-controller-manager-sa-key.pem"
"use-service-account-credentials": "true"
# The directory to store scheduler configuration.
k8s_scheduler_conf_dir: "/var/lib/kube-scheduler"
# kube-scheduler settings
k8s_scheduler_settings:
"bind-address": "{{hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address}}"
"config": "{{k8s_scheduler_conf_dir}}/kube-scheduler.yaml"
"authentication-kubeconfig": "{{k8s_scheduler_conf_dir}}/kube-scheduler.kubeconfig"
"authorization-kubeconfig": "{{k8s_scheduler_conf_dir}}/kube-scheduler.kubeconfig
"requestheader-client-ca-file": "{{k8s_conf_dir}}/ca-k8s-apiserver.pem"
# By default all tasks that needs to communicate with the Kubernetes
# cluster are executed on local host (127.0.0.1). But if that one
# doesn't have direct connection to the K8s cluster or should be executed
# elsewhere this variable can be changed accordingly.
k8s_controller_delegate_to: 127.0.0.1
# The port the control plane components should connect to etcd cluster
etcd_client_port: "2379"
# The interface the etcd cluster is listening on
etcd_interface: "tap0"
# The etcd certificates needed for the control plane components to be able
# to connect to the etcd cluster.
etcd_certificates:
- ca-etcd.pem
- ca-etcd-key.pem
- cert-k8s-apiserver-etcd.pem
- cert-k8s-apiserver-etcd-key.pemThe kube-apiserver settings defined in k8s_apiserver_settings can be overridden by defining a variable called k8s_apiserver_settings_user. You can also add additional settings by using this variable. E.g. to override audit-log-maxage and audit-log-maxbackup default values and add watch-cache add the following settings to group_vars/k8s.yml:
k8s_apiserver_settings_user:
"audit-log-maxage": "40"
"audit-log-maxbackup": "4"
"watch-cache": "false"The same is true for the kube-controller-manager by adding entries to k8s_controller_manager_settings_user variable. For kube-scheduler add entries to k8s_scheduler_settings_user variable to override/add settings in k8s_scheduler_settings dictionary.
- hosts: k8s_controller
roles:
- githubixx.kubernetes-controllerGNU GENERAL PUBLIC LICENSE Version 3